> According to that, your client cert isn't self-signed.
> It is apparently signed by the same company, which isn't 
> the same thing; in X.509 and SSL, self-signed means that 
> the cert Subject and Issuer, and specifically the subject 
> KEY and the issuing/signing KEY, are EXACTLY the same.

> What you appear to have is your own 'private' or 'in-house' 
> CA, which you used to sign a cert for your client.
> (Which OpenSSL can do, in several slightly different ways.)

> Either way, the server must trust the issuer of the client cert 
> -- for a self-signed cert this is the client itself, and in your 
> case it is an entity visibly CLOSE to the client.

> commbank.com.au sounds like a bank, and if so I wouldn't be 
> very optimistic they will trust you to be a CA. If not, 
> you'll have to get a client cert from a CA they do trust.

Thanks Dave for all the advice.

You are correct it is a bank and they did say they will trust one CA.

At the end of the day apparently what the F5 server guys did was to check
the Advertise CA function on the F5 and it started to work. Then they said
it was against their security policy, so what they did was to turn it off
and the certs still worked. The F5 server guys are still finding the reason
for that.

Thanks once again for all the explanation. 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org



-- 
View this message in context: 
http://old.nabble.com/TLS-unknown_ca-alert-number-48-tp30303596p30355320.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
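
The distinction drawn in the quoted reply (self-signed versus signed by an in-house CA of the same company), as an added example that is not part of the original thread. It assumes the `openssl` command-line tool is on the PATH; the names "Example Corp", "Example In-House CA" and "client.example" and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: every name and file below is made up for illustration.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Create a self-signed cert (acting as an in-house CA) and a client cert
# signed by it. Both carry the same organisation name, as in the thread.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=Example In-House CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=client.example" \
        -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
    openssl x509 -req -in "$work/client.csr" -days 1 \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/client.pem" 2>/dev/null
}

# Prints "self-signed" only when Subject equals Issuer AND the signature
# verifies under the cert's own public key; otherwise "issued-by-other".
classify() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ] &&
       openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed
    else
        echo issued-by-other
    fi
}

# Exit status 0 if cert $2 chains to trust anchor $1. The verifying side
# must hold the issuer as an anchor, whoever that issuer is.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_certs
echo "ca.pem:     $(classify "$work/ca.pem")"
echo "client.pem: $(classify "$work/client.pem")"
```

A client certificate classified as `issued-by-other` is only accepted by a server whose trust store contains its issuer, which is the condition `chains_to` checks.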